The Risk of LOPA and SIL Classification in the process industry

Mary Kay O’Connor Process Safety Center

International Symposium

Beyond Regulatory Compliance, Making Safety Second NatureOctober 28-29, 2008

Chris PietersenSafety Solutions Consultants BV

pietersen@safety-sc.com

Chris Pietersen

Director SSC (before : TNO SSC)

> TU Delft, Shell (Process Control)> 25 year in safety, TNO senior Research Fellow> Accident investigation (e.g. Bhopal, Mexico LPG)> Member Dutch Advisory Council for Hazardous Material>

Leader Module ‘Industrial Safety’

of official Dutch Safety Education Program

>SSC: Life Cycle Process Safety: Consultant for the Process Industry.

Process Safety Philosophy

Technical: HAZOP, SIL, LOPA, QRA

OrganisationalSafety Management, Learning from incidents

CultureSafety Culture Assessment (SCM)Behaviour

International SIL Standards:

IEC 61508/ 61511: Risk Based Approach

-Evaluate the Risk of a (HAZOP derived) scenario- Determine the required Risk reduction magnitude

- Design or Verify the Risk Control Measure- Implement in Safety Management System

Potential Pitfalls (1)

•

The quality of the HAZOP study–

Team composition/ experience–

As built drawings–

Project budget/ planning–

Inherent Safety–

Credibility, information of LOC scenario’s for SIL/ LOPA

•

The risk analysis capability of the team–

Consequence / frequency assessment–

(In) dependencies in causes and control measures

Potential Pitfalls (2)

•

The SIL verification:–

Functionality check–

(In) dependencies–

PFD calculations

•

Safety management of SIL–

Plan, Do, Check, Act approach–

Procedures and Workinstruction

–

Buncefield explosion (UK): Overfilling of storage tank (December 2005)

–

Texas City disaster: Overfilling of distillation tower (March 2005)

–

Mexico City LPG Disaster : Overfilling a storage sphere (November 1984)

The need for a SIS

The risk of overfilling a vessel Examples from disasters

Overfilling Tank 912

Buncefield Depot 11 December 2005

>

Filling (from pipeline) with ‘motorfuel’

(550-

890 m3/hr)>

Start filling tank: 19.00 hr, overfilling/release: 5.20 hr>

Explosion: 06.01 hr

>

Automatic Overfill protection system failed (levelswitch): IEC 61511: Reliability of (overfill) protection system

>

Main Problem: Safety Management, no risk based approach.

Explosion Texas Refinery, 23 March 2005•

Continued overfilling of the raffinate splitter in the isomerisation during start-up (closed outlet)

•

Opening Relief valves to Blowdown drum and Loss of Containment (200 m3) via ventstack at 36 meter height.

• Explosion and fire, temporary trailers: 15 fatalities/ >170 injured persons

Texas disaster aspects

•

Inherent Safety: vent to non-safe location–

Proposed modification not implemented. –

Post disaster reaction industry: SIL protection overfilling!•

IEC 61508: always consider inherent safety first•

Effort to be put at safe design/ controlled system; remaining risk: SIL

•

HAZOP start-up not performed–

Common practice in industry: only continuous process–

IEC 61508: A systematic Hazard Identification for all Life Cycle

phases is required before the SIL approach is applied.

Inherent Safety Example

SIL Runaway reaction killing systemVenting to non-safe location

•

Level instrumentation bottom splitter (Texas)

–Level transmitter voor Level Control (not functional).–Level indication (control room) via transmitter: failed–High Level Alarm (72%, 2,3 m) : normal functioning–Separate, redundant, hardwired high level alarm (78%, 2,4 m): Failed–Level Sight Glass: not functional (dark residue)–No automatic overfill protection

–IEC 61511 SIL Approach: SIS required–Operator dependence (alarms, sight glass)–Maintenance of safety critical equipment

Texas disaster aspects (2)

Mexico City LPG depot 19 November 1984 Overfilling storage sphere

Consequences of overfilling

500 people killed

BLEVE phenomenum

• No HAZOP• No MOC• No Overfill protection

IEC 61508/ 61511 SIL approach

•

Perform a systematic hazard identification study–

HAZOP study

•

Evaluate the risks of the identified hazards :–

Risk matrix, Risk Graph, LOPA

•

Determine the need for risk reduction :–

Compare with acceptable Risk level

•

Determine the required SIL of the SIS

•

Verify the SIL for the SIS

SeparatorV1

gas

liquid fromUnit 100

liquid fromRecovery unit CV

LC

P-01

LT

liquid

Overfill Example

HAZOP: overfilling can lead to an explosion:1 fatality

4

W3 W2 W1

C1

C2

C3

C4

a - -

1 a -

2 1 a

2 1 a

3 2 1

3 2 1

4 3 2

na 3

P1

P2

P1

P2

F1

F2

F1

F2

Start

Frequency of occurence?Consequences

?

People present?

Escape possible?

Risk reduction for overfill scenario: Result SIL 1

•Team requirements• Company Risk Policy

LT1XV-

01 SeparatorV1

gas

liquid fromUnit 100

Liquidfrom

Recovery unitCV-

02

L

C2

P-01

high level signal

LT2

clos

e

stop

liquid

Proposed Overfill protection system

4 verification requirements:

• Functionality• Independence of Control• Architectural constraints• Probabilistic requirement

Often limited to Probabilistic requirement

Failure frequency verification for SIL 1: PFD < 10-1

(PFD=Probability of Failure on Demand)

PFDSIS

= PFDSens

+ PFDIs

+ PFDPLC

+ PFDvalve + PFDpumpPFD ≈

½

λDU

·T

λ

= failure frequency/ hrT= Proof test interval

PLC I

I

Level transmitter

DU

= 6,0

10-7

/ hSource: SintefIsolator

DU

= 1,5

10-7

/ hSource: ExidaMCC relais

DU

= 2,0

10-7

/ hSource:

SintefSolenoid valve

DU

= 9,0

10-7

/ hSource: SintefValve+ actuator

DU

= 2,1

10-6

/ hSource: Exida PLC

PFD = 5,0

10-3

Source: TÜV Prooftest interval T

4 yearResult: PFDSIS

= 7,8

10-2

PFD < 10-1; Conclusion: SIL 1 probabilistic requirement fulfilled.

PFD calculation

Remarks:• Only one of the four verification requirements • Only if failure rate field data are collected over the lifecycle• Often narrowed to ‘calculations’

The Hitchhiker's Guide to the Galaxy (Douglas Adams)

•

Calculate The Ultimate Answer to The Great Question of Life, the Universe, and Everything.

•

Answer after seven and a half million years' work :

•

Computer: answer is correct : may be you never actually know what the question is!

Failure level control LC-1: Failure (LOC) V7

PSV

7

PSV

1

LC

LC‐1

LCV‐1

HP

Separator

V1

HV‐1

Condensate

Vessel V710 barg

60 barg

• Design pressure V7: 10 bar

• Pressure V7 on loss of level V1: 60 bar

Causes:• IC1: Failure of leveltransmitter• IC2: Opening of manual valve HV-1

•Possible Protection Layers, IPL’s):• Relief valve at V7: PSV-7• Low level alarm of LC-1•

Operator training/ procedure: action after alarm

LOPA aspect: IPL?

Frequency correction:- Presence of the risk(Ptr): 1,0- exposure (Pp): 1,0- Ignition (Pi): 1,0- Vulnerability human: 1,0 Total: 0,8* 10-3/yrIC2: Operator error:

Frequency: 0,8 /yr

PSV: 0,01 Operator: 0,1

IC1: failure LC control:Frequency: 0,1 /yr

Frequency correction:- Presence of the risk(Ptr): 1,0- exposure (Pp): 0,5- Ignition (Pi): 1,0- Vulnerability human: 1,0 Total: 0,5* 10-3/yr

PSV: 0,01

Failure V7 (LOC)

Total:

1,3* 10-3/yr

LOPA results

Is operator an IPL?

?

Determining SIL with LOPA

•

LOC frequency: 1,3 * 10-3

/yr•

Consequences: 5 fatalities •

Acceptation criterium: 10-6

/yr

Required PFD of a SIS:PFDSIS

= 10-6/ 1,3 * 10-3= 0,8* 10-3

(PFDSIS

= 10-6/ 0,85 * 10-3= 1,2* 10-3

with operator IPL)

Result: PFD < 10-3 SIL 3(Result: PFD < 10-2 SIL 2 with operator IPL)

Operator should generally not be seen as an IPL!

Before and after

Furnace

Explosion in furnace, 2003

•

3 people died•

HAZOP/ SIL Classification/ -verification: OK•

The Safety System was wrongly still in override during the start

up of the furnace.

SIL standard not fully implemented: Plan, Do, Check, Act in Safety Management System was lacking.

11th Stamicarbon

Ureum

Symposium 19 –

22 May, 2008, Noordwijk

•

The SIL concept (including the use of LOPA) is often narrowed down to SIL Classification and PFD calculations.

•

It is a danger that the SIL/ LOPA approach becomes the objective

in itself, instead of a means to reach high safety levels.

•

The following main problem areas haven been considered:–

The tendency to go for safety systems instead of more inherent safety–

The quality of the HAZOP/ SIL/ LOPA team–

The unjustified over dependency of operators in safety systems–

The too large emphasis on PFD calculations, losing the real meaning behind it.–

The lack of implementation of HAZOP/ SIL/ LOPA in the companies Safety Management System.

Overall:The risk exists that our safety standards and risk analysis methods are

becoming counterproductive. The effectiveness for safety should be be monitored continuously.

Summary/ Conclusions